Too Many Redirects #742

Closed
joe-eklund opened this issue Jun 6, 2022 · 11 comments

Comments

@joe-eklund

Greetings-

I am attempting to deploy this into production and getting ERR_TOO_MANY_REDIRECTS when I attempt to go to the homepage in my browser.

I am deploying to a Docker Swarm cluster behind an HA Proxy load balancer. Do you have any thoughts on how to fix this? Here is my docker stack file:

version: '3.7'

services:
  blink:
    container_name: blink
    image: ghcr.io/janejeon/blink:latest
    deploy:
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.role == manager
    networks:
      - blink_internal
    ports:
      - 3000:3000
    #command: npm run db:migrate
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /blink/certs:/certs
    environment:
      NODE_EXTRA_CA_CERTS: /certs/ca-bundle.crt
      PORT: 3000
      DATABASE_URL: postgres://knex@postgres/blink
      REDIS_URL: redis
      AUTO_MIGRATE: 1
      AUTO_SEED: 0

      # Backend Config
      HOMEPAGE: https://bit-app-pre.<my_domain>.tld
      BASE_URL: https://bit-pre.<my_domain>.tld

      ## Set to true/false to trust proxy according to https://github.com/jshttp/proxy-addr:
      ## true means taking the leftmost address of X-Forwarded-For (XFF);
      ## false means taking the remote address;
      ## a string means comma-delimited list of trusted proxy addresses;
      ## there are 3 pre-configured subnet names:
      ## - loopback - 127.0.0.1/8, ::1/128
      ## - linklocal - 169.254.0.0/16, fe80::/10
      ## - uniquelocal - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7
      #TRUST_PROXY: 'true' #'loopback,linklocal,uniquelocal'

      SESSION_DURATION: '9 hours'
      SESSION_SECRET: <something_secret>

      ## This is a shorter term rate limit, meant to account for "bursty" request patterns
      RATE_LIMIT_SHORT_WINDOW: '1 min'
      RATE_LIMIT_SHORT_MAX: 100

      ## This is the longer term rate limit, meant to generally limit the abuse of authentication and APIs
      RATE_LIMIT_LONG_WINDOW: '15 min'
      RATE_LIMIT_LONG_MAX: 200

      ## How long to wait before the backend gives up scraping a link
      LINK_TIMEOUT: '15 seconds'

      ## How long the cache should last for a redirect/301
      CACHE_MAX_AGE: '10 years'

      ## OIDC/Session Config - customize this to fit with your identity provider.
      OIDC_CLIENT_ID: <some_id>
      OIDC_ISSUER_BASE_URL: 'https://my_oidc_issuer.tld/openid'
      OIDC_HTTP_TIMEOUT: '15 seconds'

      ## OAuth2 Config for API access to Blink; disable if you don't use this
      OAUTH2_ENABLED: 'true'
      OAUTH2_JWT_ALGORITHMS: 'RS256'
      OAUTH2_JWT_AUDIENCE: ''
      OAUTH2_JWT_ISSUER: ''
      OAUTH2_JWT_SECRET: <something_secret>

      ### You can either specify a static secret or dynamically load the secret to the JWT token using JWKS.
      ### Setting OAUTH2_JWT_SECRET will use static secret, otherwise it will use dynamic secrets (recommended).
      #OAUTH2_JWKS_URI: ''
      #OAUTH2_JWKS_HTTP_TIMEOUT: '15 seconds'
      #OAUTH2_JWKS_REQUESTS_PER_MINUTE: '10'

      ## This will determine the default scope assigned to OAuth2 tokens
      OAUTH2_DEFAULT_SCOPE: 'user:create user:read link:*'

      # Frontend config
      REACT_APP_BASE_URL: $BASE_URL
  
  postgres:
    container_name: postgres
    image: postgres:14-alpine
    deploy:
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.role == manager
    #ports:
    #  - 5432:5432
    environment:
      # keep this in sync w/ DATABASE_URL in your environment file/variable
      POSTGRES_DB: blink
      POSTGRES_USER: knex
      POSTGRES_HOST_AUTH_METHOD: trust
    volumes:
      - /blink/postgres:/var/lib/postgresql/data
    networks:
      - blink_internal
  
  redis:
    container_name: redis
    image: redis:7-alpine
    #ports:
    #  - 6379:6379
    networks:
      - blink_internal

networks:
  blink_internal:
    attachable: true

Blink docker logs:

{"level":30,"time":1654553182940,"pid":7,"hostname":"4d2fe4788db5","msg":"Starting server under production environment..."}
{"level":30,"time":1654553182941,"pid":7,"hostname":"4d2fe4788db5","msg":"Setting up DB..."}
{"level":30,"time":1654553183017,"pid":7,"hostname":"4d2fe4788db5","msg":"Connected to OIDC issuer"}
{"level":30,"time":1654553183028,"pid":7,"hostname":"4d2fe4788db5","msg":"Successfully set up DB. Starting server..."}
{"level":30,"time":1654553183029,"pid":7,"hostname":"4d2fe4788db5","msg":"Server listening on port 3000"}

I attempted to set more verbose logging by setting LOG_LEVEL in the blink environment variable section above to debug but that didn't seem to change any output.

I attempted to set the HOMEPAGE variable to http://my_docker_node.tld:3000 and bypass my proxy and I am still getting similar behavior, so I don't think the HA Proxy is messing with it. Seems like either a Blink configuration error on my part or a bug.
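
The TRUST_PROXY comments in the stack file above describe three modes (true, false, or a list of trusted proxies). As an added example, not part of the original issue and not Blink's or proxy-addr's own code, this simplified IPv4-only model shows which address each mode resolves as the client; the helper names and sample addresses are constructed, and the setting is assumed to arrive as a string.

```javascript
// Simplified IPv4-only model of the TRUST_PROXY modes (assumed helper names).
// Named subnets as listed in the stack file comments, IPv4 ranges only.
const NAMED = {
  loopback: ['127.0.0.1/8'],
  linklocal: ['169.254.0.0/16'],
  uniquelocal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'],
};

// Dotted quad -> unsigned 32-bit integer.
const toInt = (ip) =>
  ip.split('.').reduce((n, octet) => ((n << 8) | Number(octet)) >>> 0, 0);

function inCidr(ip, cidr) {
  const [base, bits = '32'] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Turn a TRUST_PROXY string into a predicate: "is this hop a trusted proxy?"
function compileTrust(setting) {
  if (setting === 'true') return () => true;
  if (setting === 'false') return () => false;
  const cidrs = setting.split(',').map((s) => s.trim())
    .flatMap((s) => NAMED[s] || [s]);
  return (ip) => cidrs.some((c) => inCidr(ip, c));
}

// Walk from the socket peer back through X-Forwarded-For (right to left) and
// return the first hop that is not a trusted proxy, or the last hop if all are.
function clientIp(remoteAddr, xff, setting) {
  const trusted = compileTrust(setting);
  const hops = [remoteAddr,
    ...xff.split(',').map((s) => s.trim()).filter(Boolean).reverse()];
  for (const hop of hops) if (!trusted(hop)) return hop;
  return hops[hops.length - 1];
}

// Constructed request: the peer is a load balancer at 10.0.0.5, which appended
// the address it saw (203.0.113.7) to an XFF value the client had already set.
const remote = '10.0.0.5';
const xff = '198.51.100.99, 203.0.113.7';
for (const setting of ['true', 'false', 'uniquelocal']) {
  console.log(setting, '->', clientIp(remote, xff, setting));
}
```

With 'true' the resolved address is the leftmost XFF entry, which the client controls; the subnet list stops at the first hop outside the proxy tier.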

@joe-eklund
Author

To provide a small update to this. Looks like I was able to access the app and login (kinda) by going to https://bit-pre.<my_domain>.tld/app.

Still getting some strange behavior, like my username didn't get loaded in and the app doesn't load correctly on refresh. So I am still investigating. Still open to any ideas.

@JaneJeon
Owner

JaneJeon commented Jun 8, 2022

Sorry I haven't been able to reply sooner (I'm at the airport), but I promise to get back to this soon. If I don't, just @ me

@joe-eklund
Author

I also have a list of behavior that I find strange, is maybe a bug, or just missing. It's difficult for me to tell if it is a configuration error or just a bug. Anyway, here's the list.

  • I am getting no name on login. Either bug in app or configuration error with OAuth.
  • Can’t go to https://<my_domain>.tld/app/links or refresh once in app. Either bug in app, but more likely some issue with our HA Proxy setup?
  • Shorten link modal looks a bit weird. Boxes are not aligned.
  • I don't see an "ok" or "save" button on shorten link modal. Have to press enter. Button would be nice.
  • QR code is broken for me. Maybe it is using some external service that my firewall is blocking? I see some CORS errors about an image when you create a link so something going on there.
  • After creating link it doesn’t show up unless click refresh button, should auto update.
  • Doesn’t tell me if I am creating a link to a duplicate end link. Just says "ok" but there is no new entry created.
  • After deleting a link I get pop up toast that says Cannot read properties of undefined (reading ‘id’).
  • Deleting a user just says Not Found.
  • Deactivating a user seems to do nothing.
  • Missing feature of group / team management so we don't just all see everyone's links.

I wasn't sure if I should make different tickets for this stuff so I just stuck it here.

Thanks!

@JaneJeon
Owner

JaneJeon commented Jun 9, 2022

Okay wow, that's a lot that I somehow never encountered. For each issue, would appreciate a repro/logs.

@JaneJeon
Owner

JaneJeon commented Sep 28, 2022

I do not see this in my own deployment. Without the HA/reverse proxy setup, I cannot reproduce this issue or even attempt to solve it. Please feel free to provide it and I will reopen it.

@DrMxrcy

DrMxrcy commented Jan 17, 2023

I am getting a similar issue in my deployment as well. Have you figured it out?

@JaneJeon
Owner

Hi, no reproduction has been provided by either you or the original poster. I cannot just "guess" what could be wrong with your setups, or where the problem might lie, when I don't know anything about how it is set up and being used, or how I can reproduce the problem myself.

@DrMxrcy

DrMxrcy commented Jan 17, 2023

> Hi, no reproduction has been provided by either you or the original poster. I cannot just "guess" what could be wrong with your setups, or where the problem might lie, when I don't know anything about how it is set up and being used, or how I can reproduce the problem myself.

Is there anything in specific I could provide to help?

@JaneJeon
Owner

JaneJeon commented Jan 17, 2023

I'd need an exact, minimal reproduction (meaning I can reproduce it myself) of how you get that error in a consistent manner so that I can investigate.

Just posting your setup with a billion configurations isn't going to help me figure out exactly what has gone wrong and what caused it.

@DrMxrcy

DrMxrcy commented Jan 17, 2023

I am using EasyPanel.io, which is just a Docker management panel; it uses Traefik as a reverse proxy with a Let's Encrypt SSL

Images Used
ghcr.io/janejeon/blink:nightly
postgres:latest
redis:latest

Using an FQDN with HTTPS in the ENV
Jumpcloud as my OIDC Provider

I am getting all the same errors above

#742 (comment)

@JaneJeon
Owner

JaneJeon commented Jan 17, 2023

You seem to be very new to this, so try to think of it from my perspective - what would it take for me (you) to diagnose the problem?

"I am using EasyPanel.io" -> tells me nothing about how the Docker container is actually being run, with what network and DNS configurations, with what volumes, with what environment variables, with what databases set up in which way, etc.

"uses Traefik as a reverse proxy" -> again, tells me nothing about traefik setups or redirects or routing...

and so on and so forth (not to mention the fact that the way you're doing it, I cannot even reproduce your setup on my own).

Furthermore, even if you "dump" your reproduction, since there will be a million variables at play (given those variables would be specific to your setup), I cannot narrow it down to anything beyond "it doesn't work".

Start from the bottom - what is the smallest and simplest config (i.e. with the fewest external moving parts, such as your DNS setup and traefik and your hosting provider) that causes you to have such errors?
